[ https://issues.apache.org/jira/browse/FLINK-5981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15900566#comment-15900566 ]
ASF GitHub Bot commented on FLINK-5981:
---------------------------------------
Github user WangTaoTheTonic commented on a diff in the pull request:
https://github.com/apache/flink/pull/3486#discussion_r104828499
--- Diff:
flink-runtime/src/main/java/org/apache/flink/runtime/net/SSLUtils.java ---
@@ -55,6 +58,42 @@ public static boolean getSSLEnabled(Configuration
sslConfig) {
}
/**
+ * Sets SSl version and cipher suites for SSLServerSocket
+ * @param socket
+ * Socket to be handled
+ * @param config
+ * The application configuration
+ */
+ public static void setSSLVerAndCipherSuites(ServerSocket socket,
Configuration config) {
+ if (socket instanceof SSLServerSocket) {
+ ((SSLServerSocket)
socket).setEnabledProtocols(config.getString(
+ ConfigConstants.SECURITY_SSL_PROTOCOL,
+
ConfigConstants.DEFAULT_SECURITY_SSL_PROTOCOL).split(","));
--- End diff --
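Review bot: In `setSSLVerAndCipherSuites`, the array from `config.getString(...).split(",")` is passed to `setEnabledProtocols` without trimming or validation, so a value written as `TLSv1.1, TLSv1.2` yields an entry with a leading space, and `setEnabledProtocols` throws `IllegalArgumentException` for any name the socket does not support. Trim each entry, drop empty ones, and check the result against `getSupportedProtocols()` so that a bad `SECURITY_SSL_PROTOCOL` value fails with a message naming the config key. The method also silently does nothing when `socket` is not an `SSLServerSocket`; if that is intended, state it in the Javadoc, which currently also spells the protocol as "SSl".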
By "do explicit handling", do you mean we should check if the elements in
split results are both legal (must be one of `SSLv3, TLSv1, TLSv1.1....`)?
BTW/FYI: This config also applies to akka, and it seems like akka only
supports a single value setting but not multiple ones (it throws an exception when I
set the value to `TLSv1.1,TLSv1.2`).
> SSL version and cipher suites cannot be constrained as configured
> -----------------------------------------------------------------
>
> Key: FLINK-5981
> URL: https://issues.apache.org/jira/browse/FLINK-5981
> Project: Flink
> Issue Type: Bug
> Components: Security
> Reporter: Tao Wang
> Assignee: Tao Wang
>
> I configured SSL and started a Flink job, but found that the configured properties are not
> applied properly:
> akka port: only cipher suites apply right, SSL version not
> blob server/netty server: both SSL version and cipher suites are not like what
> I configured
> I've found out the reason why:
> http://stackoverflow.com/questions/11504173/sslcontext-initialization (for
> blob server and netty server)
> https://groups.google.com/forum/#!topic/akka-user/JH6bGnWE8kY (for akka SSL
> version, it's fixed in akka 2.4: https://github.com/akka/akka/pull/21078)
> I'll fix the issue on blob server and netty server, and it seems like only
> an upgrade of akka can solve the issue on the akka side (we'll consider that later, as an upgrade
> is not a small action).
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
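
The behaviour discussed in this thread, as an added example that is not part of the original message or of Flink's code: the protocol name given to `SSLContext.getInstance` does not by itself limit what a server socket enables, so the configured list has to be applied with `setEnabledProtocols`, and each entry should be validated first. The class name, the `parseProtocols` helper and the sample config value are hypothetical.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;

public class EnabledProtocolsExample {

    // Hypothetical helper (not Flink code): turn a comma-separated config value
    // into a validated protocol array for setEnabledProtocols.
    static String[] parseProtocols(String configured, SSLServerSocket socket) {
        List<String> supported = Arrays.asList(socket.getSupportedProtocols());
        List<String> requested = new ArrayList<>();
        for (String entry : configured.split(",")) {
            String name = entry.trim();          // tolerate "TLSv1.1, TLSv1.2"
            if (name.isEmpty()) {
                continue;                        // tolerate a trailing comma
            }
            if (!supported.contains(name)) {
                throw new IllegalArgumentException(
                    "Unsupported SSL/TLS protocol '" + name + "'; supported: " + supported);
            }
            requested.add(name);
        }
        if (requested.isEmpty()) {
            throw new IllegalArgumentException("No SSL/TLS protocol configured");
        }
        return requested.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // The name passed here selects a context implementation; it does not
        // by itself limit what sockets created from the context will enable.
        SSLContext context = SSLContext.getInstance("TLSv1.2");
        context.init(null, null, null);          // default key/trust managers; no handshake is done
        try (SSLServerSocket socket =
                 (SSLServerSocket) context.getServerSocketFactory().createServerSocket(0)) {
            // The default list depends on the JDK and its security properties.
            System.out.println("default enabled: " + Arrays.toString(socket.getEnabledProtocols()));
            // Constructed sample value, as it might appear in a config file.
            socket.setEnabledProtocols(parseProtocols("TLSv1.2, ", socket));
            System.out.println("after restrict:  " + Arrays.toString(socket.getEnabledProtocols()));
        }
    }
}
```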